On Fri, Aug 13, 2021 at 9:42 PM Mark Reynolds <[email protected]> wrote:

>
> On 8/13/21 2:40 PM, Michael Starling wrote:
>
>
>
> ------------------------------
> *From:* Michael Starling <[email protected]>
> *Sent:* Friday, August 13, 2021 10:41 AM
> *To:* Mark Reynolds <[email protected]>;
> General discussion list for the 389 Directory server project.
> <[email protected]>
> *Subject:* Re: [389-users] How to replicate password lockout attributes
> from a consumer or hub to a master(s)
>
>
>
> ------------------------------
> *From:* Michael Starling <[email protected]>
> *Sent:* Thursday, August 12, 2021 3:29 PM
> *To:* Mark Reynolds <[email protected]>;
> General discussion list for the 389 Directory server project.
> <[email protected]>
> *Subject:* Re: [389-users] How to replicate password lockout attributes
> from a consumer or hub to a master(s)
>
>
>
> ------------------------------
> *From:* Mark Reynolds <[email protected]>
> *Sent:* Thursday, August 12, 2021 3:16 PM
> *To:* Michael Starling <[email protected]>;
> General discussion list for the 389 Directory server project.
> <[email protected]>
> *Subject:* Re: [389-users] How to replicate password lockout attributes
> from a consumer or hub to a master(s)
>
>
>
> On 8/12/21 2:33 PM, Michael Starling wrote:
>
>
>
> ------------------------------
> *From:* Mark Reynolds <[email protected]>
> *Sent:* Thursday, August 12, 2021 11:48 AM
> *To:* General discussion list for the 389 Directory server project.
> <[email protected]>;
> Michael Starling <[email protected]>
> *Subject:* Re: [389-users] How to replicate password lockout attributes
> from a consumer or hub to a master(s)
>
>
>
> On 8/12/21 10:53 AM, Michael Starling wrote:
>
> Hello.
>
> I've taken over a large 389-ds environment running on Oracle Linux 8 and
> the first task I need to complete is to enable password lockouts.
>
>
>
> I was able to enable password lockouts successfully however it only works
> if the client is pointed directly to a master. The account locks out and
> the attributes are propagated down to the hubs and consumers.
>
> If the client is pointed to a read-only hub or consumer then the account
> does not lockout and the password attributes do not propagate back to the
> masters.
>
> *passwordIsGlobalPolicy*: on is set on all masters, hubs and consumers
>
> Password policy attributes I expect to replicate:
>
> *passwordRetryCount*
> *accountUnlockTime*
> *retryCountResetTime*
>
> I've tried following the chaining guide below, which I think is what I need
> to do to get this working as expected, however I've hit a snag.
>
>
> https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html
> The document states the backend must be added to the hub or consumer,
> however when I try and add the following LDIF to the hub I get the
> "unwilling to perform" error.
>
> This makes sense because the hub is read-only, so I'm confused as to how I can
> update the config on a read-only hub or consumer?
>
> Hi Michael,
To complete Mark's answer and try to solve your confusion:
hub and consumer are read-only replicas (i.e. backends);
cn=config is another backend that is still writable.
So you should not be able to modify the entries in the replicated suffix
(and should instead get referrals towards the master(s)), but you should
still be able to modify the config.
Regards,
   Pierre


> dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsBackendInstance
> cn: chainlab
> nsslapd-suffix: dc=domain,dc=com
> nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389
> ldap://dsa3.domain.com:389
> nsmultiplexorbinddn: uid=repluser,cn=config
> nsmultiplexorcredentials: mypassword
> nsCheckLocalACI: on
>
> adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
> ldap_add: Server is unwilling to perform (53)
>
> This is the doc you want to follow to get this working.  But it is
> complicated...
>
>
> In this case I'm not sure why the error 53 is being returned.  There is
> something about that entry it does not like.  So please check the access
> and errors log from the time of this failure (see
> /var/log/dirsrv/slapd-YOUR_INSTANCE/).  There is usually more info logged
> when an error 53 happens.
>
>
> Also what version of 389-ds-base are you running?
>
>
> Thanks,
> Mark
>
> Hub or Consumer
>
> Step 1 (Hub and Consumer): the chaining backend must be created on the hub
> and consumer:
>
> dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsBackendInstance
> cn: chainbe1
> nsslapd-suffix: <suffix to replicate>
> # ldaps can be used instead of ldap for secure connections - requires the secure port
> nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/
> # or whatever the replica bind DN is on the supplier
> nsmultiplexorbinddn: cn=Replication Manager,cn=config
> nsmultiplexorcredentials: password
> nsCheckLocalACI: on
>
>
> Any help would be greatly appreciated.
>
> Thanks
>
> _______________________________________________
> 389-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
>
> --
> Directory Server Development Team
>
> Thanks for getting me on the right track Mark. Looks like the "nsFarmServerURL"
> is not correct.
>
> Versions:
> 389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
> 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
>
> I thought I was maybe hitting the bug described below so I added a trailing 
> "/" but the issue persists.
> https://bugzilla.redhat.com/show_bug.cgi?id=1363970
>
> nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389
> ldap://dsa3.domain.com:389/
>
> This is what I see in the logs on the hub when trying to add the LDIF.
>
> The idea is for the hub to send these password attributes back to all masters.
>
> These are the masters in the environment.
> ldap://dsa1.domain.com:389
> ldap://dsa2.domain.com:389
> ldap://dsa3.domain.com:389
> [12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database -
> cb_instance_config_initialize - Error with config attribute nsfarmserverurl
> : not a valid LDAP URL
> [12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database - 
> cb_instance_add_config_check_callback - Can't instantiate chaining backend 
> instance chainlab.
> [12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database - 
> cb_instance_config_initialize - Error with config attribute nsfarmserverurl : 
> not a valid LDAP URL
> [12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database - 
> cb_instance_add_config_check_callback - Can't instantiate chaining backend 
> instance chainlab.
> [12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database - 
> cb_instance_config_initialize - Error with config attribute nsfarmserverurl : 
> not a valid LDAP URL
> [12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database - 
> cb_instance_add_config_check_callback - Can't instantiate chaining backend 
> instance chainlab.
> [12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database - 
> cb_instance_config_initialize - Error with config attribute nsfarmserverurl : 
> not a valid LDAP URL
> [12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database - 
> cb_instance_add_config_check_callback - Can't instantiate chaining backend 
> instance chainlab
>
> Ok, I think it's not liking the multiple values in the attribute, even
> though the document says you can have multiple URLs.  I think you need to add
> the config like this:
>
>
> nsfarmserverurl: ldap://dsa1.domain.com:389
>
> nsfarmserverurl: ldap://dsa2.domain.com:389
>
> nsfarmserverurl: ldap://dsa3.domain.com:389
>
>
> Give it a try?
>
>
> HTH,
>
> Mark
>
>
> --
> Directory Server Development Team
>
> Looks like it only added the first entry. Do I need to add an entry for each
> Master?
>
> dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsBackendInstance
> cn: chainlab
> nsslapd-suffix: dc=domain,dc=com
> nsfarmserverurl: ldap://dsa1.domain.com:389
> nsmultiplexorbinddn: uid=replicator,cn=config
> nsmultiplexorcredentials: 
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA==
> nsbindconnectionslimit: 3
> nsoperationconnectionslimit: 20
> nsabandonedsearchcheckinterval: 1
> nsconcurrentbindlimit: 10
> nsconcurrentoperationslimit: 2
> nsproxiedauthorization: on
> nsconnectionlife: 0
> nsbindtimeout: 15
> nsreferralonscopedsearch: off
> nschecklocalaci: on
> nsbindretrylimit: 3
> nsslapd-sizelimit: 2000
> nsslapd-timelimit: 3600
> nshoplimit: 10
> nsmaxresponsedelay: 60
> nsmaxtestresponsedelay: 15
> nsusestarttls: off
>
> Hi Mark.
>
> I tried adding the subsequent URLs and it doesn't allow multiple entries for
> this attribute.
>
> It appears all the URLs need to be part of the one *nsfarmserverurl*
> attribute.
>
> ldap_initialize( ldap://dsa4.domain.com )
> add nsFarmServerURL:
>         ldap://dsa2.domain.com:389
> modifying entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
> ldap_modify: Server is unwilling to perform (53)
>         additional info: Adding attributes is not allowed
>
> I believe I have this working now.
>
> Thank you Mark for getting me pointed in the right direction.
>
> Were you able to set multiple urls?  Or did you just go with one for now?
>
>
> Mark
>
> --
> Directory Server Development Team
>
>


-- 
389 Directory Server Development Team
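The thread above hits two distinct failures on the same attribute: a value with one "ldap://" prefix per supplier is rejected at instance creation as "not a valid LDAP URL", and adding a second nsfarmserverurl value fails with "Adding attributes is not allowed". The howto quoted in the thread gives the shape that avoids both, a single value of the form ldap://host1:port host2:port .../ (scheme once, hosts separated by spaces, trailing slash). The following is an added example, not code from the thread or from the 389-ds project; it assumes that format is the one the chaining backend accepts, and the helper names (build_farm_url, check_farm_url, parse_ldif_entry, check_chaining_entry, render_chaining_entry), the sample entry and the dsaN.domain.com hostnames are constructed for illustration. It lints a candidate nsfarmserverurl value and a chaining-backend LDIF entry before anything is sent to a hub, so the error shows up locally rather than as an error 53 in the server log.

```python
import re

# Constructed sample: the value the thread's first attempt used (one "ldap://"
# per supplier, no trailing slash), which the server logged as "not a valid LDAP URL".
THREAD_ATTEMPT = ("ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 "
                  "ldap://dsa3.domain.com:389")

# Constructed sample entry with nsfarmserverurl given twice, the shape that
# produced "Adding attributes is not allowed" in the thread.
MULTI_VALUED_ENTRY = """\
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389
nsfarmserverurl: ldap://dsa2.domain.com:389
nsmultiplexorbinddn: uid=replicator,cn=config
nsmultiplexorcredentials: REPLACE_WITH_REPLICA_BIND_PASSWORD
nsCheckLocalACI: on
"""

SCHEMES = ("ldap", "ldaps")
# hostname:port with no scheme and no slash in the hostname part
_HOSTPORT = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?:(\d{1,5})$")


def build_farm_url(suppliers, scheme="ldap"):
    """Return one nsfarmserverurl value in the howto's assumed format:
    "ldap://host1:port host2:port .../". suppliers: (hostname, port) pairs."""
    if scheme not in SCHEMES:
        raise ValueError(f"scheme must be one of {SCHEMES}")
    pairs = [f"{host}:{int(port)}" for host, port in suppliers]
    if not pairs:
        raise ValueError("at least one supplier is required")
    return f"{scheme}://" + " ".join(pairs) + "/"


def check_farm_url(value):
    """Return a list of problems; [] means the value matches the assumed format
    (exactly one scheme prefix, space-separated host:port pairs, trailing slash)."""
    problems = []
    if value.count("://") != 1:
        problems.append("scheme must appear exactly once; list further "
                        "suppliers as plain host:port pairs")
    if not value.endswith("/"):
        problems.append("value must end with '/'")
    scheme, _, body = value.partition("://")
    if scheme not in SCHEMES:
        problems.append(f"unknown scheme {scheme!r}")
    pairs = body.rstrip("/").split()
    if not pairs:
        problems.append("no host:port pairs listed")
    for pair in pairs:
        m = _HOSTPORT.match(pair)
        if not m or not 1 <= int(m.group(1)) <= 65535:
            problems.append(f"bad host:port {pair!r}")
    return problems


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}. Handles
    comment lines and leading-space continuation lines; base64 ("::") values
    are out of scope for this example."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_chaining_entry(text):
    """Return problems found in a chaining-backend entry written as LDIF."""
    attrs = parse_ldif_entry(text)
    problems = []
    urls = attrs.get("nsfarmserverurl", [])
    if len(urls) != 1:
        problems.append(f"nsfarmserverurl must be single-valued, found {len(urls)}")
    for url in urls:
        problems.extend(check_farm_url(url))
    if attrs.get("nschecklocalaci", ["off"])[0].lower() != "on":
        problems.append("nsCheckLocalACI is not 'on' as in the howto entry")
    if attrs.get("nsmultiplexorcredentials", [""])[0] == "":
        problems.append("nsmultiplexorcredentials is empty")
    return problems


def render_chaining_entry(name, suffix, suppliers, bind_dn, scheme="ldap"):
    """Render the howto's chaining backend entry with one nsfarmserverurl value.
    The bind password stays a placeholder to be filled in at deploy time."""
    return "\n".join([
        f"dn: cn={name},cn=chaining database,cn=plugins,cn=config",
        "objectclass: top",
        "objectclass: extensibleObject",
        "objectclass: nsBackendInstance",
        f"cn: {name}",
        f"nsslapd-suffix: {suffix}",
        f"nsfarmserverurl: {build_farm_url(suppliers, scheme)}",
        f"nsmultiplexorbinddn: {bind_dn}",
        "nsmultiplexorcredentials: REPLACE_WITH_REPLICA_BIND_PASSWORD",
        "nsCheckLocalACI: on",
    ]) + "\n"


if __name__ == "__main__":
    print("thread attempt:", check_farm_url(THREAD_ATTEMPT))
    print("multi-valued entry:", check_chaining_entry(MULTI_VALUED_ENTRY))
    fixed = render_chaining_entry("chainlab", "dc=domain,dc=com",
                                  [("dsa1.domain.com", 389), ("dsa2.domain.com", 389),
                                   ("dsa3.domain.com", 389)], "uid=replicator,cn=config")
    print(fixed)
    print("rendered entry:", check_chaining_entry(fixed))
```

Running the block prints the problems for both failing shapes from the thread and an entry rendered in the single-value form that passes the checks. The check on nsCheckLocalACI and on the credentials being present only mirrors the howto entry; whether the bind DN has the rights it needs on the suppliers is not something an offline lint can tell you.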
